
I am doing some kind of unsubscribe page.

My idea is using the GET method with encryption, for example:

unsubscribe.php?mail=xxxxxxxxxxxxxxxx&uid=xxxxxxxxxxxxxxxxxx

It can automatically unsubscribe the receiver once he clicks the link.

I am going to encrypt the data using sha1, so the problem is:

1) Is it secure? 2) Do I have to make 2 extra fields for the encrypted uid and mail address?

Thank you

user782104

2 Answers

5

Don't encrypt - create a random key instead, which you store in your database and retrieve when the user arrives at the unsubscribe link! Much easier and safer.

email            |   random_key
-------------------------------
pekka@gmx.de     | dsadfdsfsaf2
gnoggo@gnoggo.com| dfssf32e34fa

the unsubscribe link:

unsubscribe.php?key=dfssf32e34fa  <---- gnoggo@gnoggo.com
Pekka
  • Should I generate the code for each mail or use only one code for every mail sent to him? – user782104 Feb 24 '12 at 17:56
  • It gets more and more complicated if I use a different code for the same receiver in different mail campaigns... – user782104 Feb 24 '12 at 17:57
  • @user always generate a new code. Remove it after it's been used. I – Pekka Feb 24 '12 at 17:57
  • @user ah, that's different. I suppose there is no harm in having one random key per recipient ... although permanent undelete links provide some opportunity for misuse (e.g. when a user forwards an E-Mail). Maybe you'll need to put a timeout on the links, or add another layer of protection – Pekka Feb 24 '12 at 17:57
  • @Pekka: the only problem with always generating new codes, is that the old one is expired. Therefore, if someone clicks unsubscribe when going through his old email, it may not work. And that's not a good thing... – ircmaxell Feb 24 '12 at 18:01
  • @ircmaxell well, it depends a bit. People like to forward E-Mail, and other recipients being able to unsubscribe you from the list (maybe even without you knowing) isn't cool.... If there's no password protection, things are difficult – Pekka Feb 24 '12 at 18:04
  • @Pekka: no argument. Just pointing out that expiring them is not foolproof either. I guess it really depends on what exactly your requirements are. But with spam handling, I'd rather error on the side of removing too easily than the other way around... – ircmaxell Feb 24 '12 at 18:05
  • Do you know how long I can keep the subscribed person's data? E.g. if the person subscribes, they have to fill in a form and wait for a confirmation email; if they don't click the confirmation link in the mail, how long can/should I store their mail address and related information? – user782104 Feb 24 '12 at 18:09
  • You have pointed out that people can unsubscribe another subscriber when the mail is forwarded to them. How can I prevent that? – user782104 Feb 24 '12 at 18:11
  • @user only through another layer of security. Some services send *another* confirmation E-Mail when you click the link – Pekka Feb 24 '12 at 18:47
4

Absolutely not!

Do not encrypt the user's data like that. You're doing nothing but needlessly exposing user data to the public.

Besides, hashing is not encryption...

Instead, create a long random string (at least 40 characters), and store it in the database for that user. Then add that to the mail unsubscribe link. That way, there's no chance of data leakage...

To generate the random string, you can use a function similar to this:

function makeRandomString($length) {
    // 62-character alphabet; every position of the string is drawn uniformly from it
    $seed = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';
    $len = strlen($seed) - 1;
    $return = '';
    for ($i = 0; $i < $length; $i++) {
        // random_int() is a CSPRNG (PHP 7+); mt_rand() is predictable and
        // must not be used for a token that authorises an action
        $return .= $seed[random_int(0, $len)];
    }
    return $return;
}

$random = makeRandomString(40); // 40 character random string...
ircmaxell
  • Can the PHP function rand(min,max) be used? – user782104 Feb 24 '12 at 18:00
  • Sorry, I found that it generates a random number only – user782104 Feb 24 '12 at 18:02
  • And I should handle the code if there is a collision..... (the code generated already exists) – user782104 Feb 24 '12 at 18:03
  • @user782104: correct. Make a random string, and check for collisions before setting it. Although statistically, you'd need to generate a LOT of codes before you'd get a collision (but then again, one in a million is next Tuesday, so it's worth checking)... – ircmaxell Feb 24 '12 at 18:04
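Putting both answers and their comment threads together, here is an added worked example (not code from either answer): one random key per recipient as Pekka's table shows, generated from a CSPRNG as ircmaxell recommends, with the collision check, the timeout and the consume-on-use behaviour that the comments discuss. It runs stand-alone against an in-memory SQLite database through PDO (the pdo_sqlite extension is assumed); the table and column names, the TTL and the example domain are assumptions made for this example.

```php
<?php
// Added example: one random unsubscribe key per recipient, stored in the
// database and looked up by unsubscribe.php?key=...  Table and column names
// are assumptions; pdo_sqlite is assumed to be available.
declare(strict_types=1);

const TOKEN_BYTES = 32;          // 32 random bytes -> 64 hex characters in the URL
const TOKEN_TTL   = 30 * 86400;  // assumed timeout: links stop working after 30 days

function makeToken(): string {
    // random_bytes() is a CSPRNG; mt_rand()/rand() are predictable and must not
    // be used for a token that by itself authorises an action.
    return bin2hex(random_bytes(TOKEN_BYTES));
}

function setupSchema(PDO $db): void {
    $db->exec('CREATE TABLE subscribers (
        email      TEXT PRIMARY KEY,
        unsub_key  TEXT UNIQUE,
        key_issued INTEGER,
        subscribed INTEGER NOT NULL DEFAULT 1
    )');
}

// Store a new subscriber with a fresh key. The UNIQUE index on unsub_key makes
// the database detect a key collision (practically impossible with 256 random
// bits, but cheap to handle): on a constraint violation a new key is generated
// and the insert retried; after 5 attempts the error is passed on.
function addSubscriber(PDO $db, string $email): string {
    $stmt = $db->prepare(
        'INSERT INTO subscribers (email, unsub_key, key_issued) VALUES (:e, :k, :t)'
    );
    for ($attempt = 1; ; $attempt++) {
        $token = makeToken();
        try {
            $stmt->execute([':e' => $email, ':k' => $token, ':t' => time()]);
            return $token;
        } catch (PDOException $e) {
            // SQLSTATE 23000 = integrity constraint violation (duplicate key)
            if ((string) $e->getCode() !== '23000' || $attempt >= 5) {
                throw $e;
            }
        }
    }
}

function unsubscribeLink(string $token): string {
    // example.invalid is a reserved placeholder domain, not a real site
    return 'https://example.invalid/unsubscribe.php?key=' . rawurlencode($token);
}

// What unsubscribe.php does with the key from the URL: validate its shape, look
// it up, refuse keys older than the timeout, flip the flag, and delete the key
// so the same link cannot be replayed later (e.g. from a forwarded copy of the
// mail). Only the key is ever in the URL; no e-mail address or uid is exposed.
function handleUnsubscribe(PDO $db, string $token): string {
    if (!preg_match('/^[0-9a-f]{64}$/', $token)) {
        return 'invalid';
    }
    $stmt = $db->prepare('SELECT email, key_issued FROM subscribers WHERE unsub_key = :k');
    $stmt->execute([':k' => $token]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return 'unknown';
    }
    if (time() - (int) $row['key_issued'] > TOKEN_TTL) {
        return 'expired';
    }
    $upd = $db->prepare(
        'UPDATE subscribers SET subscribed = 0, unsub_key = NULL WHERE email = :e'
    );
    $upd->execute([':e' => $row['email']]);
    return 'unsubscribed';
}

// Demo with a constructed sample address (the one from Pekka's table).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
setupSchema($db);
$token = addSubscriber($db, 'gnoggo@gnoggo.com');
echo unsubscribeLink($token), "\n";
echo handleUnsubscribe($db, $token), "\n";
echo handleUnsubscribe($db, $token), "\n";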